ldap group search anonymous bind regression in 1.16.0 #26183
Description
Describe the bug
ldap login fails after upgrading 1.15.6->1.16.0
To Reproduce
Steps to reproduce the behavior:
0. apt install vault=1.16.0-1
vault auth enable ldap- configure ldap auth with anonymous group bind
vault write auth/ldap/config \ url=ldaps://ldap.home.arpa \ userdn="ou=People,dc=home,dc=arpa" \ userattr=uid \ discoverdn=true \ anonymous_group_search=true \ groupdn="ou=Groups,dc=home,dc=arpa" \ groupattr=cn \ groupfilter="(member={{.UserDN}})" - Run
vault login -no-print -method=ldapand enter valid username and password - See error
URL: PUT https://vault.home.arpa:8200/v1/auth/ldap/login/cnosal Code: 400. Errors: * ldap.(Client).Authenticate: group search anonymous bind failed: LDAP Result Code 53 "Unwilling To Perform": unauthenticated bind (DN with no password) disallowed
Expected behavior
DN shouldn't be sent when performing anonymous group search
Environment:
- Vault Server Version (retrieve with
vault status): 1.16.0 - Vault CLI Version (retrieve with
vault version):Vault v1.16.0 (c20eae3e84c55bf5180ac890b83ee81c9d7ded8b), built 2024-03-25T12:01:32Z - Server Operating System/Architecture: ubuntu jammy amd64
Vault server configuration file(s):
ui = true
api_addr = "ldap.home.arpa:8200"
disable_mlock = true
storage "file" {
path = "/opt/vault/data"
}
# HTTPS listener
listener "tcp" {
address = "0.0.0.0:8200"
tls_cert_file = "/opt/vault/tls/tls.crt"
tls_key_file = "/opt/vault/tls/tls.key"
}Additional context
The ldap configuration worked with vault 1.15.6.
The LDAP server allows anonymous reads.